So many changes have been made since the original pass that I have revisited the layout of my patches and have squashed many of them together. With these patches, we are fully compatible with the change to disable DENY rules in FreeIPA.
Patch 0001: Add helper function msgs2attrs_array
Unchanged from previous versions

Patch 0002: Add HBAC evaluator and tests
The evaluator library has changed its interface slightly. It now always returns an hbac_info object that contains the name of the rule that matched (if one did).

Patch 0003: Add helper functions for looking up HBAC rule components
I squashed about six revisions of this work into this patch. This patch does all the work of retrieving the rule components from LDAP and converting them into the evaluator format.

Patch 0004: Remove old HBAC implementation
Unchanged from previous

Patch 0005: Add new HBAC lookup and evaluation routines
Like patch 0003, this squashes in all of the assorted fixes that have gone in throughout this process. These are the changes necessary to use patches 0002 and 0003 in the access provider.

Patch 0006: Add ipa_hbac_refresh option
Mostly unchanged, except I fixed a typo in the manpage

Patch 0007: Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.

Patch 0008: Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.

I left patch 0008 as a separate patch just for clarity, since it was reasonably self-contained. And also so it was clear that I'd addressed Sumit's concern.

On Wed, 2011-06-29 at 14:34 +0200, Sumit Bose wrote:
> > > 0004: ACK
>
> NACK
>
> + /* Get the source host */
> + if (pd->rhost == NULL || pd->rhost[0] == '\0') {
> + /* If we haven't been passed an rhost, we
> + * have to assume it's coming from the
> + * target host
> + */
>
> this assumption is wrong, if rhost is missing we cannot assume anything
> about the remote host. See
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security-user-identity.html
> for details.
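Review bot: in the `if (pd->rhost == NULL || pd->rhost[0] == '\0')` branch, substituting the target host for a missing rhost is a fail-open default: a rule whose srchost component names the target host would then match a request whose real origin is unknown. Treat a NULL or empty rhost as "unknown" so that it matches no specific srchost or srchost group (a rule with no srchost requirement can still match), and rewrite the comment to say that rather than claiming the request comes from the target host.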
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
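The two evaluation rules discussed in the message (an unknown rhost must not match any rule that names a specific srchost, and by default the presence of a DENY rule denies everyone unless the admin chooses to ignore DENY rules) are shown below in a small, self-contained evaluator. This is an added illustration, not SSSD's libipa_hbac or any of the patches above; every type, function and rule name in it (hbac_rule, hbac_evaluate, eval_sample, the sample rule set) is hypothetical, and the sample rules and hostnames are constructed for the demonstration.

```c
/* Simplified HBAC evaluator, added as an illustration. This is NOT SSSD's
 * libipa_hbac; all names here are hypothetical. A NULL member list models
 * an ALL category (the component matches anything). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hbac_result { HBAC_ALLOW, HBAC_DENY };
/* Models the ipa_hbac_treat_deny_as choice: deny everyone (default) or ignore. */
enum deny_policy { DENY_AS_DENY_ALL, DENY_AS_IGNORE };

struct hbac_rule {
    const char *name;
    bool enabled;
    bool deny;                      /* true for a DENY rule */
    const char *const *users;       /* NULL = ALL */
    const char *const *services;    /* NULL = ALL */
    const char *const *srchosts;    /* NULL = ALL */
    const char *const *targethosts; /* NULL = ALL */
};

struct hbac_request {
    const char *user;
    const char *service;
    const char *srchost;    /* NULL or "" = unknown (no PAM_RHOST supplied) */
    const char *targethost;
};

/* ALL matches anything; an unknown value never matches a specific list. */
static bool component_matches(const char *const *members, const char *value)
{
    if (members == NULL) return true;
    if (value == NULL || value[0] == '\0') return false;
    for (size_t i = 0; members[i] != NULL; i++)
        if (strcmp(members[i], value) == 0) return true;
    return false;
}

static bool rule_matches(const struct hbac_rule *r, const struct hbac_request *q)
{
    return component_matches(r->users, q->user)
        && component_matches(r->services, q->service)
        && component_matches(r->srchosts, q->srchost)
        && component_matches(r->targethosts, q->targethost);
}

/* Default deny. Under DENY_AS_DENY_ALL any enabled DENY rule denies everyone
 * (the "enabled" check is an assumption of this illustration). */
enum hbac_result hbac_evaluate(const struct hbac_rule *rules, size_t nrules,
                               const struct hbac_request *req,
                               enum deny_policy policy, const char **matched)
{
    *matched = NULL;
    if (policy == DENY_AS_DENY_ALL) {
        for (size_t i = 0; i < nrules; i++) {
            if (rules[i].enabled && rules[i].deny) {
                *matched = rules[i].name;
                return HBAC_DENY;
            }
        }
    }
    for (size_t i = 0; i < nrules; i++) {
        if (!rules[i].enabled || rules[i].deny) continue;
        if (rule_matches(&rules[i], req)) {
            *matched = rules[i].name;
            return HBAC_ALLOW;
        }
    }
    return HBAC_DENY;
}

/* Constructed sample rule set (hypothetical names and hosts). */
static const char *const admins[]    = { "alice", NULL };
static const char *const ssh_svc[]   = { "sshd", NULL };
static const char *const bastion[]   = { "bastion.example.test", NULL };
static const char *const login_svc[] = { "login", NULL };
static const char *const ftp_svc[]   = { "vsftpd", NULL };

static const struct hbac_rule sample_rules[] = {
    { "allow_alice_ssh_from_bastion", true, false, admins, ssh_svc,   bastion, NULL },
    { "allow_console_login",          true, false, NULL,   login_svc, NULL,    NULL },
    { "legacy_deny_all_ftp",          true, true,  NULL,   ftp_svc,   NULL,    NULL },
};

/* Evaluate against the sample set, optionally including the DENY rule (last entry). */
enum hbac_result eval_sample(bool with_deny_rule, enum deny_policy policy,
                             const char *user, const char *service,
                             const char *srchost, const char **matched)
{
    struct hbac_request req = { user, service, srchost, "target.example.test" };
    size_t n = with_deny_rule ? 3 : 2;
    return hbac_evaluate(sample_rules, n, &req, policy, matched);
}

int main(void)
{
    const char *m;
    enum hbac_result r = eval_sample(false, DENY_AS_DENY_ALL, "alice", "sshd", NULL, &m);
    printf("alice/sshd, unknown rhost: %s (rule %s)\n",
           r == HBAC_ALLOW ? "ALLOW" : "DENY", m ? m : "none");
    r = eval_sample(true, DENY_AS_IGNORE, "alice", "sshd", "bastion.example.test", &m);
    printf("alice/sshd from bastion, DENY rules ignored: %s (rule %s)\n",
           r == HBAC_ALLOW ? "ALLOW" : "DENY", m ? m : "none");
    return 0;
}
```

The order of the two checks is the point: with the default policy the DENY scan runs before any ALLOW rule is consulted, so an admin cannot accidentally keep an old DENY rule around and have it silently ignored; and an unknown source host only ever fails closed, because component_matches returns false for it against any specific host list while still matching an ALL-category srchost.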